{"affected":[{"ecosystem_specific":{"binaries":[{"go1.24":"1.24.11-160000.1.1","go1.24-doc":"1.24.11-160000.1.1","go1.24-libstd":"1.24.11-160000.1.1","go1.24-race":"1.24.11-160000.1.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 16.0","name":"go1.24","purl":"pkg:rpm/suse/go1.24&distro=SUSE%20Linux%20Enterprise%20Server%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.24.11-160000.1.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"go1.24":"1.24.11-160000.1.1","go1.24-doc":"1.24.11-160000.1.1","go1.24-libstd":"1.24.11-160000.1.1","go1.24-race":"1.24.11-160000.1.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP applications 16.0","name":"go1.24","purl":"pkg:rpm/suse/go1.24&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.24.11-160000.1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for go1.24 fixes the following issues:\n\nUpdate to go1.24.11.\n\nSecurity issues fixed:\n\n- CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257).\n- CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261).\n- CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion\n  (bsc#1251258).\n- CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259).\n- CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints (bsc#1251254).\n- CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260).\n- CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255).\n- CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256).\n- CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262).\n- CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress (bsc#1251253).\n- CVE-2025-61727: crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430).\n- CVE-2025-61729: crypto/x509: excessive resource consumption in printing error string for host certificate validation\n  (bsc#1254431).\n\n\nOther issues fixed and changes:\n\n- Version 1.24.11:\n  * go#76378 internal/cpu: incorrect CPU features bit parsing on loong64 cause illegal instruction core dumps on LA364\n    cores\n\n- Version 1.24.10:\n  * go#75831 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets\n  * go#75951 encoding/pem: regression when decoding blocks with leading garbage\n  * go#76028 pem/encoding: malformed line endings can cause panics\n\n- Version 1.24.9:\n  * go#75860 crypto/x509: TLS validation fails for FQDNs with trailing dot\n\n- Version 1.24.8:\n  * go#75138 os: Root.OpenRoot sets incorrect name, losing prefix of original root\n  * go#75220 debug/pe: pe.Open fails on object files produced by llvm-mingw 21\n  * go#75351 cmd/link: panic on riscv64 with CGO enabled due to empty container symbol\n  * go#75356 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9\n  * go#75359 os: new test TestOpenFileCreateExclDanglingSymlink fails on Plan 9\n  * go#75523 crypto/internal/fips140/rsa: requires a panic if self-tests fail\n  * go#75538 net/http: internal error: connCount underflow\n  * go#75594 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn\n  * go#75609 sync/atomic: comment for Uintptr.Or incorrectly describes return value\n\n- Version 1.24.7:\n  * go#75007 os/exec: TestLookPath fails on plan9 after CL 685755\n  * go#74821 cmd/go: \"get toolchain@latest\" should ignore release candidates\n  * go#74818 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets\n\n- Packaging: migrate from update-alternatives to libalternatives (bsc#1245878).\n- Package svgpan.js to fix issues with \"go tool pprof\" (bsc#1249985).\n- Drop unused gccgo bootstrap code in go1.22+ (bsc#1248082).\n","id":"SUSE-SU-2025:21193-1","modified":"2025-12-12T07:45:36Z","published":"2025-12-12T07:45:36Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202521193-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1236217"},{"type":"REPORT","url":"https://bugzilla.suse.com/1245878"},{"type":"REPORT","url":"https://bugzilla.suse.com/1247816"},{"type":"REPORT","url":"https://bugzilla.suse.com/1248082"},{"type":"REPORT","url":"https://bugzilla.suse.com/1249985"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251253"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251254"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251255"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251256"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251257"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251258"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251259"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251260"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251261"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251262"},{"type":"REPORT","url":"https://bugzilla.suse.com/1254430"},{"type":"REPORT","url":"https://bugzilla.suse.com/1254431"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-47912"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58183"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58185"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58186"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58187"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58188"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58189"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-61723"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-61724"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-61725"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-61727"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-61729"}],"related":["CVE-2025-47912","CVE-2025-58183","CVE-2025-58185","CVE-2025-58186","CVE-2025-58187","CVE-2025-58188","CVE-2025-58189","CVE-2025-61723","CVE-2025-61724","CVE-2025-61725","CVE-2025-61727","CVE-2025-61729"],"summary":"Security update for go1.24","upstream":["CVE-2025-47912","CVE-2025-58183","CVE-2025-58185","CVE-2025-58186","CVE-2025-58187","CVE-2025-58188","CVE-2025-58189","CVE-2025-61723","CVE-2025-61724","CVE-2025-61725","CVE-2025-61727","CVE-2025-61729"]}